Applications Security

    Topic posted March 29, 2018 by Tori Rowe, tagged HCM, Security
    467 Views, 30 Comments
    Title:
    Data Access and Security Role for Contingent Worker Administrator
    Summary:
    We would like to create a custom role for an administrator who will only manage data for Contingent Workers.
    Content:

    We would like to create a new custom role in HCM Cloud for an administrator who will only have access to manage data for contingent workers.  When they search in Person Management, only contingent workers should display.  We would also like for them to have access to add a new contingent worker to the system, but they should not be able to add a new employee.  Has anyone created a role like this and if so, would you mind sharing the roles that were added to create this custom role? 

    Comment

     

    • Yanna Autry

      Hello,

      For the Security role itself, you can copy the Human Resource Specialist role, then remove privileges to Hire New employee or add nonworker, etc.

      Then for data access, have you tried creating and testing the option where you create a Person Security Profile and give access as you would normally do, but add Person Type (check box to "Secure by Person Type", click on the plus sign and select Contingent Worker)? I attached a screenshot of what I am referring to for this part.

      ~Yanna

       

      • Tori Rowe

        Yanna,

        That makes sense.  Thank you for your help! 

        -Tori

      • Tori Rowe

        I spent some time working on this issue and am still facing some difficulties.  Here are the steps I took: 

        1. I created the role for Contingent Worker Administrator and limited the job roles and privileges.  FYI - I am including the privilege "Manage Person Work Area" for this role because the employee in this role should have access to the Person Management work area but only should be able to pull up Contingent Workers.

        2. I created a new Person Security Profile and it is set up with the data restriction on "Person Type" of Contingent Worker only as you suggested above. 

        3. I went to the "Manage Data Roles and Security Profiles" area and pulled up the new role I created for Contingent Worker Administrator - then I added the new Person Security Profile on the Security Criteria screen under the "Person" section and the "Public Person" section.   

        4. I assigned the Contingent Worker Administrator role to an employee in the Security Console area. 

        After completing these steps and running the Scheduled Process called "Import User and Role Application Security Data job" to refresh, I logged in as the employee who I assigned the new role to.  However, I was still able to search for and view data for all employees in the Person Management area.  Do you know if I missed a step?  It seems like this should work and I cannot figure out what I am doing wrong.  

        Thanks for your help :-) 

        Tori

        • Karen Waddell

          Tori,

          We haven't used the data restriction on Person Type since we used the SQL below.  However, for the Employee you assigned your new Role to, try removing the Employee Role.  You might need to wait a few minutes for the roles to refresh for the user.

          Regards,

          Karen Waddell

        • Yanna Autry

          I apologize I misunderstood what exactly you were looking for and gave you the opposite of what I thought would work for you.

          I had put in "View All Organization" at the bottom of the Person Security Profile--I would not add it. Also, if you want them to see Contingent, then I'd make it "All" not restricted.

    • Karen Waddell

      Tori,

      Will the user hire new Contingent Workers which are Pending Workers?  If yes, you may need to define Custom Security for the Person Security Profile.  We have used the following and have not restricted on Person Type:

      EXISTS
        (SELECT 1
           FROM PER_ALL_ASSIGNMENTS_M ASG
          WHERE ASG.ASSIGNMENT_ID = &TABLE_ALIAS.ASSIGNMENT_ID
            AND SYSDATE BETWEEN LEAST(SYSDATE, ASG.EFFECTIVE_START_DATE) AND ASG.EFFECTIVE_END_DATE
            AND ASG.EFFECTIVE_LATEST_CHANGE = 'Y'
            AND ASG.ASSIGNMENT_TYPE IN ('C', 'P')
            AND ASG.SYSTEM_PERSON_TYPE IN ('PWK', 'CWK')
            AND (ASG.PROPOSED_WORKER_TYPE IS NULL
                 OR ASG.PROPOSED_WORKER_TYPE IN
                    (SELECT PERSON_TYPE_ID
                       FROM PER_PERSON_TYPES
                      WHERE SYSTEM_PERSON_TYPE = 'CWK')))

      We also allow our users who manage Contingent Workers to Add new Pending Workers but they do have access to create the new Person as either a Contingent worker or Employee but if they created a Person as an Employee they cannot hire them.  The above also restricts access to Person Management.

      Regards,

      Karen Waddell
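
Added example, not part of Karen's post or of Oracle's delivered content: a read-only audit query that applies the custom criteria above to every current assignment and counts, per person type, how many rows the profile would expose. It assumes direct SQL read access to the two tables named in the post (for example through a reporting data model); the CTE names and column aliases are illustrative.

```sql
-- Added example: least-privilege check for the custom criteria above.
-- Only tables and columns that appear in the posted predicate are used.
WITH cwk_types AS (
  -- Person types whose system type is contingent worker.
  SELECT DISTINCT person_type_id
    FROM per_person_types
   WHERE system_person_type = 'CWK'
),
current_asg AS (
  SELECT asg.system_person_type,
         asg.assignment_type,
         -- Same tests as the posted criteria, evaluated per row.
         CASE
           WHEN asg.assignment_type IN ('C', 'P')
            AND asg.system_person_type IN ('PWK', 'CWK')
            AND (asg.proposed_worker_type IS NULL
                 OR t.person_type_id IS NOT NULL)
           THEN 1 ELSE 0
         END AS exposed
    FROM per_all_assignments_m asg
    LEFT JOIN cwk_types t
      ON t.person_type_id = asg.proposed_worker_type
   -- Same date filter as the post. LEAST(SYSDATE, start) is never later
   -- than SYSDATE, so future-dated rows also pass the lower bound.
   WHERE SYSDATE BETWEEN LEAST(SYSDATE, asg.effective_start_date)
                     AND asg.effective_end_date
     AND asg.effective_latest_change = 'Y'
)
SELECT system_person_type,
       assignment_type,
       COUNT(*)     AS current_assignments,
       SUM(exposed) AS exposed_by_profile
  FROM current_asg
 GROUP BY system_person_type, assignment_type
 ORDER BY system_person_type, assignment_type;
```

Every row whose SYSTEM_PERSON_TYPE is neither 'PWK' nor 'CWK' should show 0 in exposed_by_profile. A non-zero value there means the criteria were changed so that they admit more than contingent and pending workers.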

      • Tori Rowe

        Karen,

        This is very helpful, thank you!  For now, we are not hiring anyone into HCM as pending workers, but it is something that we may want to start doing in the future.  I appreciate the help! 

        Tori 

    • Mansur Khalil

      It does not matter even if the Employee role is assigned.

      Attached are the screenshots of the Roles which I have created to make this work.

      Please let me know if you have any questions on the same.

      Thanks

      Mansur Aulam

       

      • Karen Waddell

         Mansur,

        The reason I suggested to remove the Employee Role is because Roles can conflict with one another and if you assign one at a time it helps to determine where the configuration issue might be.

        Regards,

        Karen Waddell

        • Mansur Khalil

          Hi Karen

          Thanks for your inputs. 

          The role which has been created to Add just the contingent workers is showing up only the Add Contingent Worker, but when we try to Add a Contingent Worker the Legal Employer LOV does not return any Legal Employers.

          I have attached a screenshot with all the roles I have with Custom Role; could you please let me know if I am missing something which is preventing this user from seeing the legal employers while adding the contingent workers?

          Thanks

          Mansur Aulam

           

          • Karen Waddell

            Mansur,

            Can you re-attach your screenshot as I cannot see it?  Can you also let me know what you have defined as part of the Data Role configuration?

            Regards,

            Karen Waddell

            • Mansur Khalil

              Hi Karen

              I have attached role details. Please let me know if you have any questions on the same.

              Thanks

              Mansur

            • Mansur Khalil

              Here is the file with roles

              • Karen Waddell

                Mansur,

                How did you define the Data Role & Security Profile?  This is configured by navigating to Setup and Maintenance > Assign Security Profiles to Roles.

                Regards,

                Karen Waddell

                • Mansur Khalil

                  I have defined the Data Role from Assign Security Profiles and the Security profile from Person Security Profile, Organization Security Profile.

                  Thanks

                  Mansur

                  • Karen Waddell

                    Mansur,

                    We haven't restricted the Organization Security Profile and we have it set to 'View All Organizations'.  Is your Data Role associated with your Predefined Role or have you created a separate Role?  If you have created a separate role, have you also assigned both Roles to your User?

                    Regards,

                    Karen Waddell  

                    • Mansur Khalil

                      Hi Karen

                      I have not associated both the roles to the user. For this role there is no Organization Security Profile setup. Do you think we should have attached it to the data role?

                      Thanks

                      Mansur Aulam

                       

                      • Karen Waddell

                        Mansur,

                        The Organization Security Profile is a mandatory field; therefore, I'm not sure what you have defined.  Can you send me a screen shot of the Data Roles Security Criteria and the Search Results on the Manage Data Roles and Security Profiles pages?

                        If you do create a separate Data Role to the Predefined Role then you do need to attach both Roles to the User.

                        Regards,

                        Karen Waddell

                        • Mansur Khalil

                          Karen,

                          Please find the attached document for the screenshots.

                          Let me know if you need any more details.

                          • Karen Waddell

                            Mansur,

                            Can you try the following:

                            1) Manage Person Security Profile:
                            Since you have defined Custom Criteria you shouldn't need to restrict by Person Type.  Can you remove the Contingent Worker Person Type?  Can you also check the Include future people checkbox?

                            2) Assign Security Profiles:
                            When you Edit the Role the 'Edit Data Role: Role Details' page is displayed.  Click on the Next button and the 'Edit Data Role: Security Criteria' page is displayed.  Do you have the Organization Security Profile & Legislative Data Group set?  They are displayed on your screen shots.

                            When you search for 'MK Contingent%' what is the Status of both Roles?  Can you send me a screen shot of this page?

                            3) User Account:
                            Have you assigned both Roles to the User?  Can you send me a screen shot of the Landing Page and the New Person page where your user would create a Pending Worker?

                            Regards,

                            Karen Waddell

                            • Mansur Khalil

                              The reason I added the contingent worker person type is to restrict this user to be able to search only Contingent Workers, not Employees.

                              I have assigned both the Job role and data role to the user.

                              Do you want the screenshot from Security console or the screenshot from the Assign Security Profiles?

                              Thanks

                              Mansur Aulam

                              • Mansur Khalil

                                Do you have the Organization Security Profile & Legislative Data Group set?

                                I am not able to see these since I have not set them up for this role.

                                Thanks

                              • Karen Waddell

                                Mansur,

                                Can you send me the screen shot from the Assign Security Profiles page?  Yes we always set the Organization Security Profile & Legislative Data Group as they are mandatory fields.

                                The Custom Criteria which has been added to your Person Security Profile - does this not restrict Contingent Workers?  If yes, then you don't need to restrict the Person Type.

                                Regards,

                                Karen Waddell

                                • Mansur Khalil

                                  Here is the screenshot for the Assign Security Profiles for the data role. It's the same for the job role as well.

                                  The person security profile which has been created is being called in the data role security. If you don't call that person security profile the user can see everyone including employees.

                                  Thanks

                                  Mansur

                                  • Karen Waddell

                                    Mansur,

                                    As part of our configuration our Job Role (the one with the Predefined Status) does not have a Security Profile assigned.  We created a new Role (the Data Role) which Inherits from the Job Role.  The Data Role has the following defined:

                                    - Organization Security Profile -> View All Organizations
                                    - Public Person -> Our defined Person Security Profile
                                    - Position -> View All Positions
                                    - Countries -> View All Countries
                                    - Legislative Data Group -> View All Legislative Data Groups
                                    - Person -> Our defined Person Security Profile
                                    - Document Type -> View All Document Types
                                    - Payroll -> View All Payrolls
                                    - Payroll Flow -> View All Flows

                                    As part of our configuration because we have no Security Profile associated with the Job Role and we've created a specific Data Role both Roles need to be assigned to the User.

                                    Regards,

                                    Karen Waddell

    • Mansur Khalil

      Hi Karen

      I have created a job role as a copy of the HR Specialist role and then removed those privileges like Hire an Employee, Non Worker and pending worker etc.

      Then I have created a person security profile in which it selects only the contingent workers. So this has taken care of the data security.

      Created a data role which is inherited from the job role, now this has got all of the security profiles in the security. Added the person security profile and everything seems to be working fine. I could now see the legal employer, workforce structures etc. for the Addition of new contingent workers and updates to the existing contingent workers.

      I have hidden the icons on springboard and links on Navigator using EL for this role.

      Everything is working fine now.

      Thanks

      Mansur Aulam

       

    • Helen Bennallack

      We are at the very early stages of implementing Cloud from EBS and have been told we should use Oracle generic roles as creating our own will cause issues with quarterly upgrades and Oracle support etc.

      In EBS we have created specific roles to control what data users can see and also if they have read only or update access. Please can you advise me if creating your own roles has caused you extra progression testing on the quarterly updates or any other issues that would otherwise not have occurred. This being after the roles have been successfully set up and assigned to users.

      Many thanks,

      Helen

       

      • Karen Waddell

        Helen,

        We have created our own Roles and Security Profiles and have been live for almost 2 years with absolutely no problems with upgrades.  The Role definitions do not get changed when you upgrade (this is exactly the same as EBS); although you do need to read the upgrade documentation in order to add new privileges or remove privileges which are no longer required.  The advantage of using our own roles and security is we can ensure people do not get access to areas of the application which they should not (this also saves personalizing the application on numerous pages); we restrict person type access; we provide read only access to OTBI; and our roles are not cluttered with functionality which users do not use.

        Personally, I believe it is best practice to define your own Roles and Security Profiles; and this was something I have always believed in with EBS.

        Regards,

        Karen Waddell

    • Helen Bennallack

      Thank you Karen,

      That is exactly what I was thinking.

      Helen